A Public Thank You to Private Reporters

I never really read Microsoft's vulnerability notices that closely, but for some reason when I scanned the news yesterday, the number of "privately reported" vulnerabilities seemed to jump out at me. I believe many of these folks are the unsung heroes in bugfinding - while I may not necessarily agree with what they are doing, I am sure they believe they are doing the right thing and it is clear that they have no ego motive in doing it.

Thank you, Private Reporters. While the vulnerability you found was better off unfound, at least you reported it in a way that minimized the risk to organizations and individuals around the world.

No, it won't be perfect - obviously, reverse engineering has reached a point where the details will likely be made public - but it does make exploits slightly less likely (unless they get packaged by others) and perhaps more importantly it (hopefully) delays the exploits in some manner.

Comments

Pete, how goes? The names of the bug-finders sending in those "privately reported" issues are in the bulletins. It's always been that way.

_r

I think Pete is comparing people who report bugs privately to the vendor, versus those who post bugs publicly so everyone is aware of them at the same time.
